If you missed the first part of this series please read SPAM - The Issues, Impact and Reducing SPAM (Part 1).
Things Consumers can do to Protect Themselves and Reduce Spam Concerns
- Make sure your equipment has the latest software patches.
- Ensure all machines have updated Antivirus and Anti-Spyware software.
- Use Firewalls to protect systems.
- Do not assume the 3 steps above are running automatically, check and make sure!
- If you have a web site, don't use mailto: tags for your email addresses. Automated programs known as "Web-Bots" sweep Internet sites and harvest these addresses for use and for sale. There are several tactics like scripts or images that make harvesting complex or impossible.
- Consider using one email address for private use (friends and business associates), and a second address for signing up for things you may have interest in, but where your email address might potentially be used or sold. This technique allows you to easily go through your primary email quickly, and use the secondary account to rapidly go through the stuff that is probably junk!
- Check to see if your Internet provider has methods to help stop Spam before you ever download it from their servers. Most providers have at least some form of Spam reduction upstream from your email box, but it is impossible to stop it all, because it is a fine line between aggressively stopping Spam and blocking legitimate email. Some ISPs provide filters that hold potential Spam before it gets to you, and provide a web browser based interface that allows you to quickly ensure nothing you needed was falsely identified. You just delete the junk, and pass through any email you wanted. This saves you download time, which is especially precious if you are on a slower connection like dial-up. This type of service ranges from free to just a few dollars per month depending on the provider. (See Diagram below)
- Try to use an email client that incorporates "Bayesian Filtering". These filters calculate the probability of a message being Spam based on its contents, and then learn from email you mark as Spam. (See Diagram below)
- If you report Spam email, be sure to supply full headers to your ISP or the agency you're reporting to. Just forwarding the offending email does no good, and it is usually ignored.
- Be careful what information you put on the Internet. I recently had a person complaining to me about the huge volumes of Spam they received. I did some simple research with Google, and was able to tell them things about their family that scared them. Among other things, they had signed a "Who's Who" listing and left way too much information behind.
- Consider a unique email address. For example, if your name is John Smith, try not to use an email address like jsmith@domain.com. Consider something like jsmith34@domain.com. Spammers use dictionary attacks, attempting to send to common addresses. If the email does not bounce back as "user unknown", they know they have a valid address to use and sell.
Things ISPs and Corporations can do to Reduce Spam
Of course not all the items I'm about to cover will work in all email infrastructures, but this paper outlines some of the things that can be done to reduce SPAM problems.
Ensure email administrators have a good knowledge of the RFCs (Requests for Comments) for both email and DNS, and that they keep up with any changes being introduced. These are guidelines for proper implementation and compliance with standards for communicating with other servers on the Internet.
These tips are 'best practices' and technology approaches that should help you prevent Spam from originating within your own user base. The focus here is on newer technologies, and assumes that your organization has already implemented base-level SMTP protections such as closed-relay mail systems.
1. Port 25 blocking of Dynamic IP Addresses
This is something typically implemented by ISPs. It takes any Port 25 bound SMTP traffic coming directly from an end user's computer and destined directly for a remote mail server, and drops it at the router upstream from the user. This stops infected computers from sending Spam out to the Internet. Users that want to send SMTP traffic out from a real email server are usually required to obtain a "static IP address" or use a "Smart Host". Smart Hosting means they must send their email out through the ISP's email gateway. This is very effective in reducing Spam spewing from the ISP's network, and gains back a high percentage of precious bandwidth. I recently witnessed the implementation of Port 25 blocking on a medium sized ISP's network, and it resulted in a 60% reduction in SMTP garbage spewing out from the ISP's edge routers.
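As an added illustration (not from the original article), here is the Port 25 rule expressed as a small Python model of the edge-router policy, using constructed address ranges from the RFC 5737 documentation blocks. The dynamic pools, the static-IP exemption list, the smart host address and the suspect threshold are all assumptions for the example. The decision function treats each outbound flow the way the text describes, and a second pass counts dropped flows per source so that the customers most likely to be infected can be handed to the abuse desk.

```python
import ipaddress
from collections import Counter

# Constructed address plan for an example ISP, using the RFC 5737 documentation ranges.
DYNAMIC_POOLS = [ipaddress.ip_network("203.0.113.0/24"),    # dial-up / DSL customer pool
                 ipaddress.ip_network("198.51.100.0/24")]   # second dynamic pool
STATIC_MTA_EXEMPTIONS = {ipaddress.ip_address("198.51.100.10")}  # customer on a static IP running a real MTA
SMART_HOST = ipaddress.ip_address("192.0.2.25")   # the ISP's outbound mail gateway ("Smart Host")
SUSPECT_THRESHOLD = 20   # dropped port 25 flows from one source that warrant an abuse-desk look


def port25_decision(src, dst, dport):
    """What the edge router does with one outbound TCP flow: 'allow' or 'drop'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 25:
        return "allow"    # message submission on port 587 is unaffected by the rule
    if dst == SMART_HOST:
        return "allow"    # every customer may relay through the ISP gateway
    if src in STATIC_MTA_EXEMPTIONS:
        return "allow"    # registered static-IP mail servers may talk to remote MXs directly
    if any(src in pool for pool in DYNAMIC_POOLS):
        return "drop"     # dynamic customer speaking SMTP straight to the Internet
    return "allow"


def apply_policy(flows):
    """flows: iterable of (src, dst, dport). Returns (verdict counts, suspected infected hosts)."""
    verdicts = Counter()
    drops_per_source = Counter()
    for src, dst, dport in flows:
        verdict = port25_decision(src, dst, dport)
        verdicts[verdict] += 1
        if verdict == "drop":
            drops_per_source[src] += 1
    suspects = sorted(src for src, n in drops_per_source.items() if n >= SUSPECT_THRESHOLD)
    return verdicts, suspects


def constructed_flows():
    """A few minutes of constructed edge traffic: a normal user, a static-IP mail
    server, and one infected desktop spraying mail at remote servers."""
    flows = [("203.0.113.5", "192.0.2.25", 587),       # normal user submits via the smart host
             ("203.0.113.5", "192.0.2.25", 25),        # older client relaying to the smart host on 25
             ("198.51.100.10", "192.0.2.100", 25)]     # exempted MTA delivering to a remote MX
    # infected host 203.0.113.77 tries forty remote mail servers (constructed addresses) directly
    flows += [("203.0.113.77", "192.0.2.%d" % (100 + i), 25) for i in range(40)]
    return flows


if __name__ == "__main__":
    counts, suspects = apply_policy(constructed_flows())
    print(dict(counts), suspects)
```

The drop counter is the part worth keeping in production: the rule stops the spam, but the per-source drop log is what tells the ISP which customer to call about a cleanup.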
2. SMTP Authentication
SMTP Authentication (SMTP Auth) is used to authenticate the sender of outbound mail. This is one of the toughest things to implement, but one of the most effective ways to prevent outbound spamming. SMTP Auth requires a username and password to prevent unwanted outbound e-mail from being sent through your email server. This also helps because the authenticated user can be logged together with the message-ID, which makes it easy to identify where a message came from. SMTP Auth is a widely adopted standard that has been accepted by the Internet community as defined by IETF RFC2554, and is supported in most e-mail clients today. You need to ensure that all email clients being used support SMTP Auth. The reason this can be tough to implement is that it involves getting all customers to make client side changes.
3. Sender Is Valid Recipient (SIVR)
SIVR gives more control over outbound e-mail and who the sender claims to be. SIVR requires the "From" address of the e-mail to be a valid recipient in the organization's domain. Implementing SIVR together with SMTP Auth can force the sender to use their own true identity for outbound e-mail, and accordingly reject delivery of any e-mail that appears to have a false "spoofed" return address, in particular one that does not match the authenticated user name.
4. Securing The SMTP Connection
Even with SMTP Auth and SIVR, an additional concern remains regarding the security of the SMTP connection. Usernames and passwords are not encrypted by the SMTP Auth protocol itself. That means anybody monitoring the network can easily pick up the username/password pair for malicious use. That makes it important to implement STARTTLS to encrypt the SMTP session. By enabling Secure Sockets Layer (SSL) based encryption for the SMTP layer, you can require encrypted connections for all clients in order to protect the confidentiality of the username/password pair during the SMTP session. This is a fairly common capability in most e-mail clients and should not pose a problem for most end users. If you're thinking about implementing STARTTLS, consider implementing it at the same time as SMTP Authentication to eliminate the need to change all clients twice.
5. Challenge Response
Good email typically comes from "known senders" (friends, family and associates), and the rest in theory would be junk. With challenge/response, the first time an email arrives from a new sender, the recipient's email server sends an email back to the sender asking them to confirm that they really did send it. When the sender responds to the validation request, their email address becomes white-listed as a real human sender rather than an automated Spam source. This method works well, but can cause problems for real newsletters and mailing lists you want, because automated senders do not answer challenges. Generally the recipient can white list valid lists as OK for delivery. This method makes for a strong Spam detection rate.
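The exchange described above, as an added example that is not part of the original article: a minimal challenge/response gate in Python. It derives each sender's challenge token from a server secret (assumed here), holds mail from unknown senders, releases it once a reply carrying the right token comes back, and lets the user pre-approve mailing lists, which never answer challenges. Mail with a null sender (bounces) is passed through to the other filters rather than challenged, because challenging bounces only generates backscatter.

```python
import hashlib
import hmac
import re

TOKEN_RE = re.compile(r"\[CR-([0-9a-f]{16})\]")


class ChallengeResponseGate:
    """Hold mail from unknown senders until they answer a challenge; release and
    white-list them once a reply carrying the right token arrives."""

    def __init__(self, secret, allowlist=()):
        self.secret = secret                              # constructed server secret for token derivation
        self.allowlist = {s.lower() for s in allowlist}   # known senders plus lists the user approved
        self.held = {}                                    # sender -> [(subject, body), ...] awaiting confirmation
        self.delivered = []                               # (sender, subject) that reached the inbox
        self.challenges_sent = []                         # (to, challenge subject) the server mailed out

    def token_for(self, sender):
        """Per-sender token: a token lifted from one challenge is useless for another sender,
        and the server needs no database of outstanding tokens to verify a reply."""
        return hmac.new(self.secret, sender.lower().encode(), hashlib.sha256).hexdigest()[:16]

    def receive(self, sender, subject, body):
        sender = sender.lower()
        if sender == "":
            # Null sender means a bounce; never challenge it or you create backscatter loops.
            return "passed-to-other-filters"
        if sender in self.allowlist:
            self.delivered.append((sender, subject))
            return "delivered"
        expected = self.token_for(sender)
        for found in TOKEN_RE.findall(subject + " " + body):
            if hmac.compare_digest(found, expected):
                # Somebody reading that mailbox answered: white-list and release the held mail.
                self.allowlist.add(sender)
                for held_subject, _ in self.held.pop(sender, []):
                    self.delivered.append((sender, held_subject))
                return "confirmed"
        # Unknown sender: hold the message; send the challenge only once per sender.
        first_time = sender not in self.held
        self.held.setdefault(sender, []).append((subject, body))
        if first_time:
            self.challenges_sent.append((sender, "Please confirm your message [CR-%s]" % expected))
        return "challenged" if first_time else "held"
```

The HMAC-derived token is what keeps this safe to run statelessly: a Spam run that copies a challenge it received for one forged sender cannot replay it to get a different sender white-listed.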
6. Masquerading The Sender
An alternative to rejecting e-mail messages that fail the SIVR test is to offer Sender Masquerading based on the authenticated end-user. Sender Masquerade allows the "From" address of outbound e-mail to be rewritten using the actual authenticated end-user's e-mail address. Sender masquerading can prevent an end-user from using an alternate, or forged e-mail address in the organization's mail system. Typically, this information can be retrieved from either an internal or external source, such as a Lightweight Directory Access Protocol (LDAP) based directory server. By re-writing the "From" address, it would be easy to pinpoint the source of generated Spam, as the "From" address will clearly identify the problem account, which can then either be disabled or reset with a new password in the case of a compromised account.
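Items 2, 3, 4 and 6 fit together, so the following added example (Python written for this article, not the code of any real mail server) models one submission session that enforces all of them: AUTH PLAIN is only advertised and accepted after STARTTLS, MAIL FROM requires a prior authentication, the claimed sender must be an address the authenticated account owns (SIVR), and a policy switch chooses between rejecting a mismatch and masquerading it as the account's real address. The account directory, passwords and addresses are constructed for the example; a real server would check a password hash or an LDAP directory. The audit list records what the mail log should capture: the login name behind every message.

```python
import base64
import hmac

# Constructed account directory. A real server keeps salted password hashes,
# or asks LDAP, instead of a dict like this.
USER_DIRECTORY = {
    "alice": {"password": "correct horse battery", "primary": "alice@example.com",
              "aliases": {"a.smith@example.com"}},
    "bob": {"password": "hunter2", "primary": "bob@example.com", "aliases": set()},
}


def encode_auth_plain(user, password, authzid=""):
    """Client side of AUTH PLAIN: base64(authzid NUL authcid NUL password), per RFC 4616."""
    return base64.b64encode(("%s\x00%s\x00%s" % (authzid, user, password)).encode()).decode()


def decode_auth_plain(b64):
    """Server side: return (login, password) or None if the blob is malformed."""
    try:
        parts = base64.b64decode(b64, validate=True).decode().split("\x00")
    except (ValueError, UnicodeDecodeError):
        return None
    return (parts[1], parts[2]) if len(parts) == 3 else None


class SubmissionSession:
    """One client connection: STARTTLS gates AUTH, AUTH gates MAIL, and the sender
    must be an address the authenticated account owns (SIVR)."""

    def __init__(self, policy="reject"):
        if policy not in ("reject", "masquerade"):
            raise ValueError("policy must be 'reject' or 'masquerade'")
        self.policy = policy
        self.tls = False       # becomes True after STARTTLS
        self.user = None       # authenticated login name
        self.sender = None     # effective envelope sender of the current transaction
        self.audit = []        # (login, claimed sender, effective sender): what the mail log records

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # AUTH is offered only on an encrypted session, so the password never crosses the wire in clear.
            return "250 mail.example.com STARTTLS" + (" AUTH PLAIN" if self.tls else "")
        if verb == "STARTTLS":
            if self.tls:
                return "454 TLS already active"
            self.tls = True    # a real server wraps the socket in TLS at this point
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 Must issue a STARTTLS command first"
            mech, _, b64 = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 Unrecognized authentication type"
            creds = decode_auth_plain(b64)
            if creds is None:
                return "501 Malformed AUTH PLAIN response"
            user, password = creds
            account = USER_DIRECTORY.get(user)
            if account and hmac.compare_digest(account["password"].encode(), password.encode()):
                self.user = user
                return "235 Authentication successful"
            return "535 Authentication credentials invalid"
        if verb == "MAIL":
            if self.user is None:
                return "530 Authentication required"
            claimed = arg.partition(":")[2].strip().strip("<>").lower()
            account = USER_DIRECTORY[self.user]
            owned = {account["primary"]} | account["aliases"]
            if claimed in owned:
                effective, reply = claimed, "250 OK"
            elif self.policy == "reject":
                return "553 Sender address rejected: not owned by user " + self.user
            else:
                # Masquerade: rewrite the forged or mistyped sender to the account's real address.
                effective = account["primary"]
                reply = "250 OK sender rewritten to <%s>" % effective
            self.sender = effective
            self.audit.append((self.user, claimed, effective))
            return reply
        return "502 Command not implemented"


def run_exchange(client_lines, policy="reject"):
    """Drive a scripted client through one session; returns the session and its replies."""
    session = SubmissionSession(policy)
    return session, [session.handle(line) for line in client_lines]
```

Either way the audit entry ties the message to a login name, which is the property the text relies on: a Spam run from a compromised account points straight at the account to disable or reset.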
7. Connection Rate Limiting
Another technique organizations can use to help control outbound Spam and virus-bearing messages is to limit the connection rate on their SMTP servers. Typical end users send only a few e-mails every few minutes, whereas Spammers can churn out hundreds or thousands of e-mails in minutes. This commonly occurs when an infected desktop computer is being exploited to propagate virus messages. When enterprises implement a rate limiter that allows only a few SMTP connections per minute, outbound Spam traffic cannot get out and can be detected.
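An added example of the rate limiter described here, in Python (not code from the article): a sliding-window counter per client address. The event list is constructed and contains a normal user sending three messages over a few minutes and an infected desktop that opens a connection every half second; with the assumed limit of five connections per minute the burst is cut off after five and the source is flagged for investigation.

```python
from collections import deque


class ConnectionRateLimiter:
    """Sliding-window limit on SMTP connections per client address."""

    def __init__(self, max_connections, window_seconds):
        self.max_connections = max_connections
        self.window_seconds = window_seconds
        self.recent = {}      # client -> deque of accepted connection timestamps inside the window
        self.flagged = set()  # clients that hit the limit: candidates for an infected-host check

    def allow(self, client, now):
        window = self.recent.setdefault(client, deque())
        while window and now - window[0] >= self.window_seconds:
            window.popleft()            # forget connections that fell out of the window
        if len(window) >= self.max_connections:
            self.flagged.add(client)
            return False                # the real server would answer 421/450 and close
        window.append(now)
        return True


def replay(events, max_connections=5, window_seconds=60):
    """events: (timestamp, client) pairs in any order.
    Returns ({client: (accepted, refused)}, set of flagged clients)."""
    limiter = ConnectionRateLimiter(max_connections, window_seconds)
    tally = {}
    for ts, client in sorted(events):
        accepted, refused = tally.get(client, (0, 0))
        if limiter.allow(client, ts):
            accepted += 1
        else:
            refused += 1
        tally[client] = (accepted, refused)
    return tally, limiter.flagged


def constructed_events():
    """A normal user sending three messages over a few minutes, and an infected
    desktop (constructed address 10.0.0.77) opening a connection every half second."""
    normal = [(0.0, "10.0.0.5"), (95.0, "10.0.0.5"), (210.0, "10.0.0.5")]
    infected = [(30.0 + 0.5 * i, "10.0.0.77") for i in range(20)]
    return normal + infected


if __name__ == "__main__":
    print(replay(constructed_events()))
```

The flagged set is the detection output the text mentions: the limiter alone only slows an infected machine down, the list of clients that hit the ceiling is what the help desk acts on.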
8. Outbound Spam And Virus Scanning
Outbound virus and Spam scanning is an important way to help prevent outbreaks from emanating internally on your network. The best way to prevent these threats from spreading in an organization's outbound e-mail traffic is to scan for Spam and viruses on both the inbound and outbound SMTP gateway. In particular, Spam scanning can be used by the e-mail administrator to identify trends, to monitor outbound patterns of e-mail by end users, and to quickly target problem end users.
9. Removing Bad Attachments
As an additional protection layer on outbound SMTP, you may also want to strip attachments from e-mails when they are known to contain malicious content. This will help prevent the spread of new viruses before they are identified by virus scanning. Examples of file types that an enterprise should consider stripping from e-mails include vbs, pif, and scr, which are well known as file types that have been used to transmit e-mail-borne viruses in the past.
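As an added example (not from the article), here is attachment stripping on an outbound gateway using Python's standard email library. The message and its two attachments are constructed; the blocked set holds the three extensions the text names and is meant to be extended to local policy. The check looks at the final extension of the filename whatever the part's declared type or disposition, so a file named invoice.pdf.scr is still caught, and nested multipart containers are searched as well.

```python
from email.message import EmailMessage

# Extensions the article names as historically used for e-mail-borne viruses.
# Constructed starting point for the example, not a complete block list.
BLOCKED_EXTENSIONS = {"vbs", "pif", "scr"}


def extension_of(filename):
    """Final extension, lower-cased. 'invoice.pdf.scr' yields 'scr', so the
    double-extension trick does not slip past the check."""
    if not filename or "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].strip().lower()


def strip_blocked_attachments(msg, blocked=BLOCKED_EXTENSIONS):
    """Drop every MIME part whose filename carries a blocked extension, regardless of
    its Content-Type or Content-Disposition. Modifies msg in place and returns the
    names of the removed parts."""
    if not msg.is_multipart():
        return []
    kept, removed = [], []
    for part in msg.get_payload():
        name = part.get_filename()
        if extension_of(name) in blocked:
            removed.append(name)
            continue
        if part.is_multipart():
            removed.extend(strip_blocked_attachments(part, blocked))   # recurse into nested containers
        kept.append(part)
    msg.set_payload(kept)
    if removed:
        msg["X-Stripped-Attachments"] = ", ".join(removed)   # tell the recipient what was taken out
    return removed


def remaining_attachments(msg):
    return [part.get_filename() for part in msg.iter_attachments()]


def build_sample_message():
    """Constructed outbound message: a harmless PDF plus a screensaver posing as a PDF."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Invoice and report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00 constructed stand-in for an executable",
                       maintype="application", subtype="octet-stream", filename="invoice.pdf.scr")
    msg.add_attachment(b"%PDF-1.4 constructed stand-in for a document",
                       maintype="application", subtype="pdf", filename="report.pdf")
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    print("stripped:", strip_blocked_attachments(sample))
    print("left:", remaining_attachments(sample))
```

Deciding on the filename alone is deliberate: the Content-Type header is chosen by the sender and is the first thing a virus forges, whereas the recipient's desktop opens the file by its extension.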
10. Bayesian filtering
Even with other Spam filtering measures upstream at your service provider, some Spam slips through. Bayesian Spam filters calculate the probability of an email being Spam based on its contents. Bayesian filtering learns from Spam you receive and mark as Spam (Junk). Additionally, it learns what good mail looks like from what you keep. I always ensure that I use an email client with Bayesian filtering, because over time it learns and moves junk mail into another folder that you can quickly glance at before deleting the unwanted email.
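Bayesian filtering comes up both in the consumer tips and here, so one added example serves both passages (Python written for this article, not any client's real filter, and simpler than one). The class counts which words occur in messages the user marks as Spam and which occur in mail the user keeps, then scores new mail with naive Bayes and Laplace smoothing. The training messages are constructed. The learning step is shown by learning_demo: a message made of words the filter has never seen scores exactly 0.5, and once the user marks one such message as Spam the same text scores higher.

```python
import math
import re
from collections import Counter


def tokenize(text):
    """Distinct lower-cased word tokens; a word counts once per message."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class BayesianFilter:
    """Naive Bayes spam filter that learns from mail the user marks as Spam and mail the user keeps."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of good messages containing it

    def learn(self, text, is_spam):
        """Called when the user marks a message as Spam (True) or keeps it (False)."""
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def spam_probability(self, text):
        """P(spam | words in message) with Laplace smoothing, summed in log space so a
        long message does not underflow to zero."""
        if self.spam_docs == 0 or self.ham_docs == 0:
            return 0.5                     # nothing learned for one class yet: stay neutral
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for token in tokenize(text):
            log_spam += math.log((self.spam_tokens[token] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[token] + 1) / (self.ham_docs + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.9):
        """A high threshold keeps false positives (good mail in the junk folder) rare."""
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training mail, as if the user had already sorted it.
CONSTRUCTED_SPAM = [
    "FREE prize!!! You are a WINNER, click here to claim your cash offer",
    "Cheap meds online, free shipping, click now for discount pills",
    "Congratulations winner! Claim your free prize today, limited offer",
    "Make cash fast from home, click the link for this free offer",
]
CONSTRUCTED_HAM = [
    "Can we move tomorrow's project meeting to 2pm? I will bring the report",
    "Lunch on Friday? The team wants to discuss the quarterly report",
    "Attached is the draft budget for the project, comments welcome before the meeting",
    "Reminder: status meeting tomorrow, please update your project tickets",
]


def trained_filter():
    f = BayesianFilter()
    for text in CONSTRUCTED_SPAM:
        f.learn(text, True)
    for text in CONSTRUCTED_HAM:
        f.learn(text, False)
    return f


def learning_demo(text="zorblax quux"):
    """Score an unseen message, mark it as Spam, score the same text again: (before, after)."""
    f = trained_filter()
    before = f.spam_probability(text)
    f.learn(text, True)
    after = f.spam_probability(text)
    return before, after


if __name__ == "__main__":
    f = trained_filter()
    print(f.classify("You are a winner, click to claim your free prize"))
    print(learning_demo())
```

The 0.9 threshold is the choice a user-facing filter makes: the junk folder is glanced at and emptied, so a missed Spam costs a second, while a good message filed as junk may be lost for good.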
11. White Listing / Black Listing
Another method is white-listing and blacklisting. Many Spam filters allow you to white list email that is wrongly suspected as Spam, and also allow you to blacklist things that are actually Spam. White listing known mail servers on the Internet at the SMTP gateway allows email coming from known servers to not get caught in the other methods used to reduce Spam.
12. Avoid responding to Spam
Not only should you avoid purchasing from Spammers, you should also avoid responding to Spam. Some Spam messages have the ability to respond if you wish not to receive more emails from the Spammer. A small percentage of these could be true, but a majority of the responses just prove that your email is a valid address, and will actually cause you to get more Spam.
13. Avoid using e-mail addresses on your website.
E-mail addresses on websites should be made un-harvestable by posting them as graphic elements or scripts instead of mailto: tags, which Spammers' automated harvesters can read. Companies that provide an email link on their site should consider a server side script button rather than a link to an e-mail address. Here is a link to "Master Spambot Buster", a server side CGI script: http://willmaster.com/master/spambotbuster/index.shtml. Here is another link with some good tips: http://www.bronze-age.com/nospam/
Laws and Legislation
There are few laws regarding Spam, and one of the biggest problems is that Spam transcends legal boundaries. There have been cases of convicted Spammers being fined heavily, but many still operate without consequence. Since Spammers often use others' computers to do their deeds, catching them is often difficult. There is much work needed in this arena.
Summary
Today's enterprise faces new challenges in the war on Spam, but you have an opportunity to significantly reduce the volume of Spam on the Internet from inside your company. The list presented here outlines several techniques you can use to reduce the outbound Spam and virus-bearing e-mail messages purposefully or inadvertently generated by your end user population. As stated in Part 1 of this article the impact of Spam is probably one of the biggest challenges for the modern Internet. It's really not the advertising that is the big problem, but the tactics used to propagate these advertising efforts that is the real concern. Maybe I'm just an optimist, but I do believe things will get better. Just like the original cars had many problems, modern cars can take you off-road and do it in comfort and style. The Internet still is like one of those early cars, but as time progresses so will the stability of the Internet, but right now "it's a mess"!
References
Seven Tips For Avoiding Insider E-Mail Threats
By Jeff Brainard, Mirapoint
Sites of Interest
CAUCE, The Coalition Against Unsolicited Commercial Email
http://www.cauce.org/
Network Abuse Clearinghouse
http://www.abuse.net/
The Spamhaus Project
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues
Spam Abuse.net
http://spam.abuse.net/
Spam Help
http://www.spamhelp.org/links.php
Spam.org
http://www.spam.org/